Implementation of SSO support #60

Closed
Tracked by #12
corang opened this issue Mar 7, 2024 · 4 comments · Fixed by #61
Labels
enhancement ✨ New feature or request help wanted Extra attention is needed

Comments

@corang
Contributor

corang commented Mar 7, 2024

This is being driven from delivery needing GitLab to have SSO soon.

Gitlab requires a secret specified in gitlab.global.appConfig.omniauth.providers to use SSO features. The repo1 gitlab chart doesn't provide a way to create this secret and just expects it to exist before deployment if you specify it. The secret contains a json file similar to below:

```json
{
  "name": "openid_connect",
  "label": "SSO",
  "args": {
    "name": "openid_connect",
    "scope": [
      "Gitlab"
    ],
    "response_type": "code",
    "issuer": "https://keycloak.###ZARF_VAR_DOMAIN###/auth/realms/baby-yoda",
    "client_auth_method": "query",
    "discovery": true,
    "uid_field": "preferred_username",
    "client_options": {
      "identifier": "dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_gitlab",
      "secret": "",
      "redirect_uri": "https://gitlab.###ZARF_VAR_DOMAIN###/users/auth/openid_connect/callback",
      "end_session_endpoint": "https://keycloak.###ZARF_VAR_DOMAIN###/auth/realms/baby-yoda/protocol/openid-connect/logout"
    }
  }
}
```

Currently the way pepr works with the sso key in the package CRD is it registers a new client with keycloak and then creates a secret in k8s with the information about that client, namely the generated secret.

Somehow there needs to be a way to consume the contents of the pepr created secret to create a secret for gitlab with the SSO client information in it, but also be optional in the case of not wanting to connect GitLab to an SSO (CI using uds-core-istio).

@corang corang added enhancement ✨ New feature or request help wanted Extra attention is needed labels Mar 7, 2024
@jeff-mccoy
Member

Note you can specify a secret for the uds pkg CR. Also if we need to expand the operator to make this easier, just let us know. There are so many different ways to consume the values it became unwieldy.

@Racer159
Contributor

Racer159 commented Mar 7, 2024

Just realized naming conventions got to me and those are different

@Racer159
Contributor

Racer159 commented Mar 7, 2024

@jeff-mccoy thoughts on adding a config value to a package definition's sso field that would let us template out a secret from the SSO config? At least for SWF, Gitlab, Mattermost, and SonarQube can all be configured from a secret that picks up keys within it (assuming we can set what those keys are).
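The shape of the bridge corang describes (read the operator-created client secret, render the GitLab OmniAuth provider JSON from it, emit a GitLab secret, and do nothing when SSO is not wired up) and the templating Racer159 proposes can be sketched as one small script. The code below is an added illustration, not code from the uds-core, Pepr or GitLab projects: the key names `clientId` and `clientSecret` in the operator secret, the output secret/key names, and the sample values are assumptions for the example. The provider structure, realm and URL patterns are taken from the JSON in the issue, and the secret is refused if it would ship an empty client secret or a non-HTTPS endpoint, since that is the failure mode the issue is about (the secret "just expects" to exist and nothing checks its contents).

```python
import base64
import json
from typing import Optional
from urllib.parse import urlparse

# Assumed key names inside the operator-created client secret (the issue does
# not list them; treat these as placeholders).
CLIENT_ID_KEY = "clientId"
CLIENT_SECRET_KEY = "clientSecret"


def decode_secret_data(secret: dict) -> dict:
    """Decode the base64 `data` map of a Kubernetes Secret into plain strings."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def render_provider(client_id: str, client_secret: str, domain: str,
                    realm: str = "baby-yoda", label: str = "SSO") -> dict:
    """Build the GitLab omniauth provider document using the layout from the issue."""
    keycloak = f"https://keycloak.{domain}/auth/realms/{realm}"
    return {
        "name": "openid_connect",
        "label": label,
        "args": {
            "name": "openid_connect",
            "scope": ["Gitlab"],
            "response_type": "code",
            "issuer": keycloak,
            "client_auth_method": "query",
            "discovery": True,
            "uid_field": "preferred_username",
            "client_options": {
                "identifier": client_id,
                "secret": client_secret,
                "redirect_uri": f"https://gitlab.{domain}/users/auth/openid_connect/callback",
                "end_session_endpoint": f"{keycloak}/protocol/openid-connect/logout",
            },
        },
    }


def validate_provider(provider: dict) -> list:
    """Return a list of problems; an empty list means the config is safe to ship."""
    problems = []
    args = provider["args"]
    opts = args["client_options"]
    if not opts.get("identifier"):
        problems.append("client_options.identifier is empty")
    if not opts.get("secret"):
        problems.append("client_options.secret is empty")
    for name, url in (("issuer", args["issuer"]),
                      ("redirect_uri", opts["redirect_uri"]),
                      ("end_session_endpoint", opts["end_session_endpoint"])):
        if urlparse(url).scheme != "https":
            problems.append(f"{name} must use https")
    return problems


def build_gitlab_secret(pepr_secret: Optional[dict], domain: str,
                        name: str = "gitlab-sso-provider",
                        namespace: str = "gitlab") -> Optional[dict]:
    """Render a Secret manifest holding the provider JSON, or None when SSO is off.

    Returning None covers the "optional" case from the issue: a deployment with
    no operator-created client secret (e.g. CI without SSO) produces nothing.
    """
    if pepr_secret is None:
        return None
    data = decode_secret_data(pepr_secret)
    provider = render_provider(data[CLIENT_ID_KEY], data[CLIENT_SECRET_KEY], domain)
    problems = validate_provider(provider)
    if problems:
        raise ValueError("refusing to create GitLab SSO secret: " + "; ".join(problems))
    payload = json.dumps(provider, indent=2).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"provider": base64.b64encode(payload).decode()},
    }


def load_provider(gitlab_secret: dict) -> dict:
    """Decode the provider JSON back out of a manifest produced above."""
    return json.loads(base64.b64decode(gitlab_secret["data"]["provider"]))


# Constructed sample of an operator-created client secret (values are made up;
# the identifier matches the example in the issue).
SAMPLE_PEPR_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "sso-client-gitlab", "namespace": "gitlab"},
    "data": {
        CLIENT_ID_KEY: base64.b64encode(b"dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_gitlab").decode(),
        CLIENT_SECRET_KEY: base64.b64encode(b"constructed-secret-value").decode(),
    },
}

if __name__ == "__main__":
    manifest = build_gitlab_secret(SAMPLE_PEPR_SECRET, "example.com")
    print(json.dumps(manifest, indent=2))
```

In a real package this would run inside the operator or a post-deploy hook with the domain substituted the same way `###ZARF_VAR_DOMAIN###` is in the issue; the point of `validate_provider` is that an empty `secret` field (exactly what the pasted JSON shows) fails loudly before GitLab ever reads it, instead of silently producing a provider that cannot authenticate.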
